GNU logs - #27462, boring messages


Message sent to bug-guix@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: bug#27462: OCaml CVE-2015-8869 
Resent-From: Leo Famulari <leo@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-guix@HIDDEN
Resent-Date: Fri, 23 Jun 2017 16:42:02 +0000
Resent-Message-ID: <handler.27462.B.149823610921360 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: report 27462
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: 27462 <at> debbugs.gnu.org
X-Debbugs-Original-To: bug-guix@HIDDEN
Received: via spool by submit <at> debbugs.gnu.org id=B.149823610921360
          (code B ref -1); Fri, 23 Jun 2017 16:42:02 +0000
Received: (at submit) by debbugs.gnu.org; 23 Jun 2017 16:41:49 +0000
Received: from localhost ([127.0.0.1]:34687 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1dOReX-0005YS-77
	for submit <at> debbugs.gnu.org; Fri, 23 Jun 2017 12:41:49 -0400
Received: from eggs.gnu.org ([208.118.235.92]:47529)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@HIDDEN>) id 1dOReV-0005YF-QX
 for submit <at> debbugs.gnu.org; Fri, 23 Jun 2017 12:41:48 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <leo@HIDDEN>) id 1dOReP-00080F-TL
 for submit <at> debbugs.gnu.org; Fri, 23 Jun 2017 12:41:42 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,T_DKIM_INVALID
 autolearn=disabled version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:49297)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <leo@HIDDEN>) id 1dOReP-000809-Px
 for submit <at> debbugs.gnu.org; Fri, 23 Jun 2017 12:41:41 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:38493)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <leo@HIDDEN>) id 1dOReO-0002up-MT
 for bug-guix@HIDDEN; Fri, 23 Jun 2017 12:41:41 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <leo@HIDDEN>) id 1dOReL-0007y7-Ct
 for bug-guix@HIDDEN; Fri, 23 Jun 2017 12:41:40 -0400
Received: from out3-smtp.messagingengine.com ([66.111.4.27]:46793)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <leo@HIDDEN>) id 1dOReL-0007wO-5k
 for bug-guix@HIDDEN; Fri, 23 Jun 2017 12:41:37 -0400
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id 5C5242086A;
 Fri, 23 Jun 2017 12:41:32 -0400 (EDT)
Received: from frontend1 ([10.202.2.160])
 by compute4.internal (MEProxy); Fri, 23 Jun 2017 12:41:32 -0400
Received: from localhost (unknown [128.64.129.7])
 by mail.messagingengine.com (Postfix) with ESMTPA id 12BB07E74F
 for <bug-guix@HIDDEN>; Fri, 23 Jun 2017 12:41:32 -0400 (EDT)
Date: Fri, 23 Jun 2017 12:41:29 -0400
From: Leo Famulari <leo@HIDDEN>
Message-ID: <20170623164129.GA4417@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="n8g4imXOkfNTN/H1"
Content-Disposition: inline
User-Agent: Mutt/1.8.3 (2017-05-23)
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
 [fuzzy]
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -4.1 (----)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -4.1 (----)


--n8g4imXOkfNTN/H1
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched
in the primary ocaml package in April 2016. Unfortunately, this patch
was not included when the ocaml-4.01 package was created in January
2017.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869

Do we need this older version of OCaml? If so, we need a volunteer to
maintain it.

--n8g4imXOkfNTN/H1
Content-Type: application/pgp-signature; name="signature.asc"


--n8g4imXOkfNTN/H1--




Message sent:


Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
Content-Type: text/plain; charset=utf-8
X-Loop: help-debbugs@HIDDEN
From: help-debbugs@HIDDEN (GNU bug Tracking System)
To: Leo Famulari <leo@HIDDEN>
Subject: bug#27462: Acknowledgement (OCaml CVE-2015-8869 )
Message-ID: <handler.27462.B.149823610921360.ack <at> debbugs.gnu.org>
References: <20170623164129.GA4417@HIDDEN>
X-Gnu-PR-Message: ack 27462
X-Gnu-PR-Package: guix
Reply-To: 27462 <at> debbugs.gnu.org
Date: Fri, 23 Jun 2017 16:42:02 +0000

Thank you for filing a new bug report with debbugs.gnu.org.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 bug-guix@HIDDEN

If you wish to submit further information on this problem, please
send it to 27462 <at> debbugs.gnu.org.

Please do not send mail to help-debbugs@HIDDEN unless you wish
to report a problem with the Bug-tracking system.

-- 
27462: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=27462
GNU Bug Tracking System
Contact help-debbugs@HIDDEN with problems


Message sent to bug-guix@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: bug#27462: OCaml CVE-2015-8869
Resent-From: Ben Woodcroft <b.woodcroft@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-guix@HIDDEN
Resent-Date: Sat, 24 Jun 2017 00:27:01 +0000
Resent-Message-ID: <handler.27462.B27462.149826396431751 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 27462
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: Leo Famulari <leo@HIDDEN>, 27462 <at> debbugs.gnu.org
Received: via spool by 27462-submit <at> debbugs.gnu.org id=B27462.149826396431751
          (code B ref 27462); Sat, 24 Jun 2017 00:27:01 +0000
Received: (at 27462) by debbugs.gnu.org; 24 Jun 2017 00:26:04 +0000
Received: from localhost ([127.0.0.1]:34952 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1dOYto-0008G2-7H
	for submit <at> debbugs.gnu.org; Fri, 23 Jun 2017 20:26:04 -0400
Received: from mailhub2.soe.uq.edu.au ([130.102.132.209]:35672
 helo=newmailhub.uq.edu.au)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <b.woodcroft@HIDDEN>) id 1dOYtl-0008Fb-9d
 for 27462 <at> debbugs.gnu.org; Fri, 23 Jun 2017 20:26:02 -0400
Received: from smtp1.soe.uq.edu.au (smtp1.soe.uq.edu.au [10.138.113.40])
 by newmailhub.uq.edu.au (8.14.5/8.14.5) with ESMTP id v5O0PtGl003082;
 Sat, 24 Jun 2017 10:25:57 +1000
Received: from [192.168.1.105] (static.customers.nuskope.com.au
 [103.25.181.216] (may be forged)) (authenticated bits=0)
 by smtp1.soe.uq.edu.au (8.14.5/8.14.5) with ESMTP id v5O0Prvp026879
 (version=TLSv1.2 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT);
 Sat, 24 Jun 2017 10:25:54 +1000
References: <20170623164129.GA4417@HIDDEN>
From: Ben Woodcroft <b.woodcroft@HIDDEN>
Message-ID: <faae92d6-1f30-9e7f-4e56-f7c69a794388@HIDDEN>
Date: Sat, 24 Jun 2017 10:25:52 +1000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.1.1
MIME-Version: 1.0
In-Reply-To: <20170623164129.GA4417@HIDDEN>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
X-UQ-FilterTime: 1498263958
X-Scanned-By: MIMEDefang 2.73 on UQ Mailhub
X-Spam-Score: -2.3 (--)
X-Spam-Score: -2.3 (--)

Hi Leo,


On 24/06/17 02:41, Leo Famulari wrote:
> Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched
> in the primary ocaml package in April 2016. Unfortunately, this patch
> was not included when the ocaml-4.01 package was created in January
> 2017.
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
>
> Do we need this older version of OCaml? If so, we need a volunteer to
> maintain it.

Thanks for pointing this out. AFAIK OCaml 4.01 is really only used to 
build pplacer, a bioinformatics program. I was planning on submitting 3 
further bioinformatic packages soon which rely on pplacer, however.

I'm not sure I have the bandwidth to backport patches to such an old 
release, especially since the OCaml maintainers do not appear to be 
either, AFAICS.

This is a little frustrating, but perhaps they should be removed. WDYT?

ben




Message sent to bug-guix@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: bug#27462: OCaml CVE-2015-8869
Resent-From: Leo Famulari <leo@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-guix@HIDDEN
Resent-Date: Sat, 24 Jun 2017 16:04:02 +0000
Resent-Message-ID: <handler.27462.B27462.149832019214428 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 27462
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: Ben Woodcroft <b.woodcroft@HIDDEN>
Cc: 27462 <at> debbugs.gnu.org
Received: via spool by 27462-submit <at> debbugs.gnu.org id=B27462.149832019214428
          (code B ref 27462); Sat, 24 Jun 2017 16:04:02 +0000
Received: (at 27462) by debbugs.gnu.org; 24 Jun 2017 16:03:12 +0000
Received: from localhost ([127.0.0.1]:35847 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1dOnWh-0003kd-UC
	for submit <at> debbugs.gnu.org; Sat, 24 Jun 2017 12:03:12 -0400
Received: from out3-smtp.messagingengine.com ([66.111.4.27]:42381)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@HIDDEN>) id 1dOnWe-0003kR-6z
 for 27462 <at> debbugs.gnu.org; Sat, 24 Jun 2017 12:03:09 -0400
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id 8A495206F0;
 Sat, 24 Jun 2017 12:03:07 -0400 (EDT)
Received: from frontend2 ([10.202.2.161])
 by compute4.internal (MEProxy); Sat, 24 Jun 2017 12:03:07 -0400
Received: from localhost (unknown [128.64.129.7])
 by mail.messagingengine.com (Postfix) with ESMTPA id 49D0524370;
 Sat, 24 Jun 2017 12:03:07 -0400 (EDT)
Date: Sat, 24 Jun 2017 12:03:04 -0400
From: Leo Famulari <leo@HIDDEN>
Message-ID: <20170624160304.GA10364@HIDDEN>
References: <20170623164129.GA4417@HIDDEN>
 <faae92d6-1f30-9e7f-4e56-f7c69a794388@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="AqsLC8rIMeq19msA"
Content-Disposition: inline
In-Reply-To: <faae92d6-1f30-9e7f-4e56-f7c69a794388@HIDDEN>
User-Agent: Mutt/1.8.3 (2017-05-23)
X-Spam-Score: -0.7 (/)
X-Spam-Score: -0.7 (/)


--AqsLC8rIMeq19msA
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, Jun 24, 2017 at 10:25:52AM +1000, Ben Woodcroft wrote:
> On 24/06/17 02:41, Leo Famulari wrote:
> > Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched
> > in the primary ocaml package in April 2016. Unfortunately, this patch
> > was not included when the ocaml-4.01 package was created in January
> > 2017.
> >
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
> >
> > Do we need this older version of OCaml? If so, we need a volunteer to
> > maintain it.
>
> Thanks for pointing this out. AFAIK OCaml 4.01 is really only used to build
> pplacer, a bioinformatics program. I was planning on submitting 3 further
> bioinformatic packages soon which rely on pplacer, however.
>
> I'm not sure I have the bandwidth to backport patches to such an old
> release, especially since the OCaml maintainers do not appear to be either,
> AFAICS.
>
> This is a little frustrating, but perhaps they should be removed. WDYT?

That is a last resort :)

We should check if another distro has a patch for OCaml 4.01, if we can
backport the patch, if pplacer can use a newer OCaml, and only then
consider removing the packages.

--AqsLC8rIMeq19msA
Content-Type: application/pgp-signature; name="signature.asc"


--AqsLC8rIMeq19msA--




Message received at control <at> debbugs.gnu.org:


Received: (at control) by debbugs.gnu.org; 27 Jul 2017 12:25:45 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Jul 27 08:25:45 2017
Received: from localhost ([127.0.0.1]:58002 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1dahrN-0004D0-F3
	for submit <at> debbugs.gnu.org; Thu, 27 Jul 2017 08:25:45 -0400
Received: from eggs.gnu.org ([208.118.235.92]:58854)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1dahrL-0004Cb-Qe
 for control <at> debbugs.gnu.org; Thu, 27 Jul 2017 08:25:43 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <ludo@HIDDEN>) id 1dahrG-00013e-2w
 for control <at> debbugs.gnu.org; Thu, 27 Jul 2017 08:25:38 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RP_MATCHES_RCVD
 autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:55963)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ludo@HIDDEN>)
 id 1dahrF-00012y-NE
 for control <at> debbugs.gnu.org; Thu, 27 Jul 2017 08:25:37 -0400
Received: from [193.50.110.224] (port=37438 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@HIDDEN>) id 1dahrE-0006KN-Gd
 for control <at> debbugs.gnu.org; Thu, 27 Jul 2017 08:25:37 -0400
Date: Thu, 27 Jul 2017 14:25:35 +0200
Message-Id: <87r2x23w3k.fsf@HIDDEN>
To: control <at> debbugs.gnu.org
From: ludo@HIDDEN (Ludovic Courtès)
Subject: control message for bug #27462
MIME-version: 1.0
Content-type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: control
X-Spam-Score: -5.0 (-----)

tags 27462 security




Message sent to bug-guix@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: bug#27462: OCaml CVE-2015-8869
References: <20170623164129.GA4417@HIDDEN>
In-Reply-To: <20170623164129.GA4417@HIDDEN>
Resent-From: Andreas Enge <andreas@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-guix@HIDDEN
Resent-Date: Thu, 31 Jan 2019 16:58:02 +0000
Resent-Message-ID: <handler.27462.B27462.154895384614344 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 27462
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: security
To: 27462 <at> debbugs.gnu.org
Cc: Ben Woodcroft <b.woodcroft@HIDDEN>
Received: via spool by 27462-submit <at> debbugs.gnu.org id=B27462.154895384614344
          (code B ref 27462); Thu, 31 Jan 2019 16:58:02 +0000
Received: (at 27462) by debbugs.gnu.org; 31 Jan 2019 16:57:26 +0000
Received: from localhost ([127.0.0.1]:53223 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1gpFeY-0003jI-KB
	for submit <at> debbugs.gnu.org; Thu, 31 Jan 2019 11:57:26 -0500
Received: from hera.aquilenet.fr ([185.233.100.1]:42184)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <andreas@HIDDEN>) id 1gpFeW-0003j8-1I
 for 27462 <at> debbugs.gnu.org; Thu, 31 Jan 2019 11:57:25 -0500
Received: from localhost (localhost [127.0.0.1])
 by hera.aquilenet.fr (Postfix) with ESMTP id 798B99A95;
 Thu, 31 Jan 2019 17:57:22 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at aquilenet.fr
Received: from hera.aquilenet.fr ([127.0.0.1])
 by localhost (hera.aquilenet.fr [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 0Yoymwj22hNZ; Thu, 31 Jan 2019 17:57:21 +0100 (CET)
Received: from jurong (cable-78.29.213.16.coditel.net [78.29.213.16])
 by hera.aquilenet.fr (Postfix) with ESMTPSA id D3BE99A8E;
 Thu, 31 Jan 2019 17:57:20 +0100 (CET)
Date: Thu, 31 Jan 2019 17:57:03 +0100
From: Andreas Enge <andreas@HIDDEN>
Message-ID: <20190131165613.GA27597@jurong>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.11.0 (2018-11-25)
X-Spam-Score: 0.7 (/)
X-Spam-Score: -0.3 (/)

Hello,

this bug has been open for quite a while, and the development of pplacer seems
to be stalled, with the latest commit in May 2018, and no reaction whatsoever
to Ben's bug report
   https://github.com/matsen/pplacer/issues/354

How should we continue? Are people using the software, or should we maybe
remove it?

Andreas






Last modified: Thu, 31 Jan 2019 17:00:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.